Netherlands Study: Spam Comes from the Wrong Side of the Tracks

If the Internet universe were analogous to the Star Wars universe, then Spam wouldn’t be the Emperor. Nor Darth Vader. It wouldn’t even be Boba Fett. As slimy as spammers are, they wouldn’t be in the same discussion as Jabba the Hutt or General Grievous. No sir. At very best, spammers would be likened to Salacious Crumb, Jabba’s creepy little rat-like pet, and that’s a perfect analogy for the role spammers play in the Internet universe.

As it turns out, the University of Twente, in the Netherlands, agrees with that assessment, sort of. Giovane Moura of the University’s Centre for Telematics and Information Technology recently published a study in which more than 42,000 Autonomous System Numbers (ASNs) were monitored using the Composite Blocking List (CBL). An ASN identifies the network that originates and routes a block of IP addresses, so the researcher was able to trace spam messages back to the networks hosting their originating servers, and guess what? Spammers truly are creepy little rat-like denizens, in the sense that they come from bad neighborhoods.

The study found that a huge portion of the world’s spam traffic can be traced to a very small number of sources, the ‘bad neighborhoods,’ so to speak. Almost half of the globe’s spam traffic has been identified as belonging to less than half of a percent of the world’s Internet providers, and that’s a promising new development in the ongoing war on spam.

“Just like in the real world, the internet has also “bad neighbourhoods” whose streets are not safe and where crime rates are higher than in other districts. Research into these “Bad Neighbourhoods on the Internet” can lead to better security solutions. To this end, Moura has carried out the first systematic investigation of malicious hosts, by monitoring and analysing network data. His main conclusion is that malicious activity is indeed concentrated in limited zones: areas in which the IP addresses show strong similarities, per ISP, or even per country. For instance, this PhD researcher found that 62% of the addresses at one ISP were related to spam. This knowledge can be used to link security measures to specific ISPs.”

Phishing Holes

If you’ve ever gone fishing, you know that when you find that one spot that’s good to you, you’ve found your favorite fishing hole, and none other will do. It’s somewhat the same for phishers, apparently. What’s also interesting about the study is how it identifies geographical ‘hot zones’ for different types of spamming activity.

“Different types of activities are associated with different parts of the world. For instance, spam comes mainly from southern Asian countries, while phishing occurs primarily in the United States and other developed countries.”

The main reason for the latter – the phishing activity – interestingly enough, is that the U.S. and other developed countries contain the most data centers and cloud computing providers. And we’ve long known that Asia has been a hotbed for spam activity, but knowing that such a huge amount of spam can be isolated to a few ‘bad neighborhoods’ is promising, to say the least.

Bad Eggs

It’s important, the University’s site writes:

“to distinguish between individual IP addresses that launch one-off attacks and a whole Bad Neighbourhood that almost always launches repeated attacks. This information, too, is very useful in terms of establishing a security strategy. The history of a Bad Neighbourhood, as identified by [Giovane Moura], can be of value here.”
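An added example (not from the study or the original post) of the distinction drawn above: it groups blocklist sightings by network and flags a network as a bad neighbourhood only when a large share of its addresses is listed and the listings recur across several days. The network names, prefixes, sightings and both thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation-range prefixes standing in for ISP networks.
NETWORKS = {
    "isp-a": ipaddress.ip_network("192.0.2.0/28"),
    "isp-b": ipaddress.ip_network("198.51.100.0/28"),
    "isp-c": ipaddress.ip_network("203.0.113.0/28"),
}
# Constructed blocklist sightings: (observation day, listed source address).
SIGHTINGS = (
    [(day, f"192.0.2.{host}") for day in (1, 2, 3) for host in range(1, 11)]
    + [(2, "198.51.100.7")]                      # a single one-off sender
    + [(1, "203.0.113.4"), (3, "203.0.113.9")]   # two unrelated hosts
)

def owner_of(ip, networks):
    """Return the name of the network containing ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in networks.items():
        if addr in net:
            return name
    return None

def neighbourhood_report(sightings, networks, min_fraction=0.5, min_days=2):
    """Per network: distinct listed hosts, share of address space, days seen."""
    hosts, days = defaultdict(set), defaultdict(set)
    for day, ip in sightings:
        name = owner_of(ip, networks)
        if name is not None:
            hosts[name].add(ip)
            days[name].add(day)
    report = {}
    for name, net in networks.items():
        fraction = len(hosts[name]) / net.num_addresses
        # A neighbourhood needs both density and repetition, not just one hit.
        bad = fraction >= min_fraction and len(days[name]) >= min_days
        report[name] = {"listed": len(hosts[name]), "fraction": fraction,
                        "days": len(days[name]), "bad_neighbourhood": bad}
    return report

def top_share(report, n=1):
    """Share of all listed hosts that sit in the n most-listed networks."""
    counts = sorted((r["listed"] for r in report.values()), reverse=True)
    total = sum(counts)
    return sum(counts[:n]) / total if total else 0.0
```

In this constructed data, only isp-a is flagged; isp-c is seen on two days but with too few listed addresses to count as a neighbourhood.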

Shock and Awe

The implications of this study are very encouraging, since we now know that spam and its related fraudulent activities can be isolated and identified in a few narrow spaces. Imagine being able to flick the switch on some of these ISPs and reduce the world’s spam by a significant margin. For example, the study identified a single ISP in Nigeria (where else?) where more than 60% of the ISP’s traffic was spam-related.

Now that we know a huge chunk of the malicious code-based spam is coming from Asia, we may be able to develop additional defenses against messages originating in that area. Likewise, because we now know that phishing is concentrated in the U.S. and other developed countries, we can focus anti-phishing efforts on those countries.

The Sydney Morning Herald says it all, pointing out that the “most sobering statistic [of the study is] that just 20 ISPs – or less than 0.0005 per cent of the world’s total 42,000 – represented almost 50 per cent of all spam sources.”

You may want to take the time to read the report. Copies are available upon request from the University of Twente.

2 Comments

It does look promising that spammers are concentrated in so few bad neighborhoods but I suppose if one neighborhood gets burned, it will quickly be replaced by a new one. We could play hide-and-seek for years and this won’t erase spam for sure.

I agree with Lisa that there’s some encouraging news in learning about most spammers targeting only a specific number of bad neighborhoods. This, however, does not in any way tell us that we should take spammers for granted. It only helps us determine how we should attack spam since we’ll know from where it originated.
We should come up with programs targeted specifically at fighting spam or phishing. In the end, everything depends on how much we know about bad neighborhoods and spam in general. While there is no surefire way of eliminating spam, there are countermeasures we can use.